Alarm and Control System

Alarm systems alert operators to process conditions that require action or assessment to maintain plant integrity and safety. They are not normally safety-related but can improve safety by enabling timely operator responses. There are different types of alarms for processes, equipment, safety conditions, and shutdowns. Effective alarm systems are designed according to safety requirements, have clear procedures and priorities, and prevent operator overload during disturbances or emergencies.

Uploaded by

Shahadat Awan

ALARMS & INTERLOCKS

Alarm systems have a very close relationship to safety shutdown systems (SIS) but they do not
perform the same function as a SIS. Alarm systems are essential to maintaining integrity of processing
units. Alarm systems alert operators to plant conditions, such as deviation from normal operating
limits and to abnormal events, which require timely action or assessment.

Alarm systems are not normally safety related, but do have a role in enabling operators to reduce
the demand on the safety related systems, thus improving overall plant safety.

Types of Alarm Systems

Process Alarms

These alarms may relate to the efficiency of the process or indicate defects in the equipment.
This type of alarm is normally incorporated into the plant control system (typically a DCS) and
shares the same sensors as the control system.

Machinery or Equipment Alarms

These alarms assist with detection of problems with equipment and do not directly affect the
operation of the process. 

Safety Related Alarms

These alarms are used to alert operators to a condition that may be potentially dangerous or
damaging for the plant. Such alarms should normally have a high priority and where they are
involved in protecting against mal-operation by the control system they should be independent of
the devices they are monitoring. In many cases these alarms are generated by the safety
shutdown system itself.

Shutdown Alarms

This type of alarm tells the operator that an automatic shutdown event has been reached and has
been initiated by the SIS.

General Guidelines on Alarm Systems

Some guidance on alarm settings, human interface (alarm presentation), alarm processing and
system management controls for both safety related and other alarm systems includes the
following:

• The alarm system should be designed to an appropriate safety integrity level (SIL 1 or 2)
  with the designated reliability
• The alarm system should be independent from the process control system and other
  alarms unless it has also been designated safety related
• The operator should have a clear written alarm response procedure for each alarm which
  is simple, obvious and invariant, and in which he is trained
• The alarms should be presented in an obvious manner, distinguishable from other alarms,
  have the highest priority, and remain on view at all times when they are active
• The claimed operator workload and performance should be stated and verified

Alarms which are not designated as safety should be carefully designed to ensure that they fulfill
their role in reducing demands on safety related systems.

For all alarms, regardless of their safety designation, attention is required to ensure that under
abnormal conditions such as severe disturbance, onset of hazard, or emergency situations, the
alarm system remains effective given the limitations of human response. The extent to which
the alarm system survives common cause failures, such as a power loss, should also be
adequately defined.

The following sections discuss various considerations in implementing an effective alarm
system.

Alarm Settings

When an abnormal condition occurs, usually more than one alarm may be actuated. In a
shutdown situation, one trip could cause a series of alarms to respond almost simultaneously. In
some situations, it might be desirable to determine which alarm was the first to respond. The
order in which the alarms go off may affect the operating personnel's perception as to what has
occurred and subsequent action taken. 

In the Standard Sequence, it is not possible to tell which alarm was initiated first. The First-Out
Sequence, on the other hand, has the advantage of identifying the first initiating condition that
caused the shutdown. After the first-out system trips and is acknowledged by the operator, the
alarm that tripped first stays flashing while the other alarms in the first-out sequence are
indicated by a steady lighted window.

However, it should be noted that the first alarm to respond may not be the one that initiated the
trip. This is because all of the process variables, equipment, and interlock components have
different detection and response speeds.

There are also pre-alarms that alert the operating personnel to the fact that there is a potentially
dangerous trend developing and to give the operating personnel some time to take action to
correct the problem before matters reach the point where the emergency shutdown is activated.

The type of alarm and its setting should be established so as to enable the operator to make the
necessary assessment and take the required timely action. Settings should be documented and
controlled in accordance with the alarm system management controls. A fundamental reason for
having an alarm should be to prompt an operator action (i.e. making a control change).
Frequently there are alarms implemented that require no operator action, e.g. simply for status
indication. These alarms are "in" during normal operations. Although an argument can be made
to justify the implementation of "monitoring" a value more closely (e.g. during a product switch
in a processing system), this approach should be used with caution since it is an easy way to
justify adding volumes of alarms.

Often in configuring alarm systems there is confusion over instrumentation redundancy (e.g. due
to reliability problems) and information redundancy. This results in alarm conditions that have
multiple alarms indicating the same situation, e.g. multiple level transmitters on a knock-out
drum.

Also, alarms with improper set points may cause alarm cycling, e.g. two alarms taking turns to
activate one after the other.

Human Interface (Alarm Presentation)

The human interface should be suitable. Alarms may be presented on an annunciator panel,
individual indicators, VDU screen, or programmable display device. Alarm displays may be
color-coded according to their function. An example can be as follows:

Function      Color
Alarms        Yellow
Pre-alarms    Orange
Shutdown      Red
Bypass        Red

Alarm lists should be carefully designed to ensure that high priority alarms are readily
identified, that low priority alarms are not overlooked, and that the list remains readable even
during times of high alarm activity or with repeat alarms.

Alarms should be prioritized in terms of which alarms require the most urgent operator attention.
Allowing alarms to be added to an alarm system without explicit priority criteria can result in
differing priorities being assigned to alarms that have the same consequences. A recommended
breakdown of alarms into priorities for a process unit is: 14% High Priority, 44% Medium
Priority, 42% Low Priority.

Alarms should be presented within the operator’s field of view, and use consistent presentation
style (color, flash rate, naming convention).

Each alarm should provide sufficient operator information for the alarm condition, plant affected,
action required, alarm priority, time of alarm and alarm status to be readily identified.
Ambiguous or confusing alarm messages should be avoided, e.g. when a boiler feed water pump
had tripped the message should be "BFW Pump Tripped" and not "BFW Pump Low Pressure".

One of the most overlooked aspects of alarm system configuration is meshing the alarms with
the displays. Making the wrong choices in meshing the two can have far reaching consequences
and can slow the operator in reaching the problem area of the process.

Another point that should be taken into consideration when meshing alarms with the displays is
how the alarm colors relate to others used in the displays.

Color coding used for the alarms should not conflict with those used in any other part of the
display system. Color coding conflicts cause information processing delays as the operator has to
decipher in what context the color is being used, e.g. "RED" for emergency vs. for
pump/fan/motor status, valve closed, etc.

The visual display device may be augmented by audible warnings that should be at a level
considerably higher than the ambient noise at the signal frequency. Where there are multiple
audible warnings, they should be designed so that they are readily distinguished from each other
and from emergency alarm systems. They should be designed to avoid distraction of the operator
in high operator workload situations. Where both constant frequency and variable frequency
(including pulsed or intermittent) signals are used, then the latter should denote a higher level of
danger or a more urgent need for intervention.

Alarm Processing

The alarms should be processed in such a manner as to avoid operator overload at all times
(alarm floods). The presentation of alarms should not exceed that which the operator is capable
of acting upon, or alternatively the alarms should be prioritized and presented in such a way that
the operator may deal with the most important alarms without distraction of the others.

Applicable alarm processing techniques include grouping and first-up alarms, eclipsing of lower
grade alarms (e.g. suppressing the high alarm when the high-high alarm activates), suppression of
out of service plant alarms, suppression of selected alarms during certain operating modes,
automatic alarm load shedding and shelving. The alarm processing should ensure that fleeting or
repeating alarms do not result in operator overload even under the most severe conditions. A
number of alarm processing techniques (e.g. filtering, deadband, debounce timers, shelving) are
available in the Standards.
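The effect of deadband, a debounce (on-delay) timer and eclipsing on a noisy level signal, as an added example that is not part of the original document. The tags LAH/LAHH, the 80 % and 90 % setpoints, the 2 % deadband, the one-sample delay and the sample readings are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed level readings (%): noise around the 80 % high setpoint, then a real excursion.
SAMPLES = [79, 81, 79.5, 81, 79.8, 80.5, 79.9, 82, 84, 86,
           91, 92, 90.5, 88, 85, 79.5, 77, 76]


@dataclass
class HighAlarm:
    """High-limit alarm with deadband (hysteresis) and an on-delay debounce timer."""
    tag: str
    setpoint: float
    deadband: float = 0.0   # clears only at or below setpoint - deadband
    on_delay: int = 0       # extra consecutive samples above setpoint needed to activate
    active: bool = False
    count: int = 0

    def update(self, value):
        """Feed one sample; return True on a new activation (rising edge)."""
        if self.active:
            if value <= self.setpoint - self.deadband:
                self.active, self.count = False, 0
            return False
        self.count = self.count + 1 if value > self.setpoint else 0
        if self.count > self.on_delay:
            self.active = True
            return True
        return False


def process(samples, deadband=0.0, on_delay=0, eclipse=False):
    """Return (number of new annunciations, alarms displayed after each sample)."""
    high = HighAlarm("LAH", 80.0, deadband, on_delay)        # assumed tag and setpoint
    high_high = HighAlarm("LAHH", 90.0, deadband, on_delay)  # assumed tag and setpoint
    annunciations, displayed = 0, []
    for value in samples:
        annunciations += high.update(value) + high_high.update(value)
        shown = [a.tag for a in (high_high, high) if a.active]
        if eclipse and high_high.active:
            shown = ["LAHH"]   # high-high eclipses the lower-grade high alarm
        displayed.append(shown)
    return annunciations, displayed


if __name__ == "__main__":
    raw, raw_view = process(SAMPLES)
    filtered, view = process(SAMPLES, deadband=2.0, on_delay=1, eclipse=True)
    print("annunciations raw:", raw, "| processed:", filtered)
    print("display at peak raw:", raw_view[11], "| eclipsed:", view[11])
```

The debounce delay postpones the high-high annunciation by one sample, which is the price paid for rejecting the fleeting activations.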

One study showed that operators having to make more than 14 control moves per hour and
answering 20 or more alarms per hour (one alarm every 3 minutes) are excessively loaded.

Care should be taken in the use of shelving or suppression to ensure that controls exist to ensure
that alarms are returned to an active state when they are relevant to plant operation.

Alarm System Management Procedures

Management systems should be in place to ensure that the alarm system is operated, maintained
and modified in a controlled manner. Alarm response procedures should be available, and alarm
parameters should be documented.

The alarm selection process is best handled in a group setting. During the alarm assignment
process, the group should review the consequences of missing an alarm before a priority is
assigned. This is an important step in that it helps maintain a consistency between consequences
and priorities.

The performance of the alarm system should be assessed and monitored to ensure that it is
effective during normal and abnormal plant conditions. The monitoring should include
evaluation of the alarm presentation rate, operator acceptance and response times, operator
workload, standing alarm count and duration, repeat or nuisance alarms, and operator views of
operability of the system. Monitoring may be achieved by regular and systematic auditing.
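One way to compute some of these monitoring figures from an alarm journal, as an added example that is not part of the original document. The journal format, the tag names, the repeat threshold and the entries themselves are constructed assumptions; the 20 alarms per hour figure is the one quoted under Alarm Processing.

```python
from collections import Counter

OVERLOAD_PER_HOUR = 20   # figure quoted in the text: 20 or more alarms per hour

# Constructed journal: (minute, tag, event); "ALM" = activation, "RTN" = return to normal.
LOG = [(5, "LAL-200", "ALM"), (12, "PAH-310", "ALM"), (30, "PAH-310", "RTN"),
       (70, "TAH-120", "ALM"), (95, "TAH-120", "RTN")]
# A chattering flow alarm that activates and clears every minute from minute 10 to 49.
LOG += [(m, "FAL-101", "ALM" if i % 2 == 0 else "RTN")
        for i, m in enumerate(range(10, 50))]


def audit(log, end_minute, repeat_threshold=3):
    """Summarise presentation rate, standing alarms and repeat alarms for one audit period."""
    per_hour = Counter()      # activations presented in each clock hour
    activations = Counter()   # activations per tag over the whole period
    open_since = {}           # tag -> minute at which it became a standing alarm
    for minute, tag, event in sorted(log):
        if event == "ALM":
            per_hour[minute // 60] += 1
            activations[tag] += 1
            open_since.setdefault(tag, minute)
        elif event == "RTN":
            open_since.pop(tag, None)
    return {
        "alarms_per_hour": dict(per_hour),
        "overloaded_hours": sorted(h for h, n in per_hour.items()
                                   if n >= OVERLOAD_PER_HOUR),
        # Standing alarms: still active at the end of the period, with duration in minutes.
        "standing": {tag: end_minute - since for tag, since in open_since.items()},
        # Repeat or nuisance candidates: tags that activated repeat_threshold times or more.
        "repeat": {tag: n for tag, n in activations.items() if n >= repeat_threshold},
    }


if __name__ == "__main__":
    for key, value in audit(LOG, end_minute=120).items():
        print(f"{key}: {value}")
```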

Matters which are not worthy of operator attention should not be alarmed.

Logging may be a suitable alternative for engineering or discrepancy events to prevent
unnecessary standing alarms. A system for assessing the significance of such logged events to
ensure timely intervention by maintenance personnel may be required.

Interlocks: Basic Design Principles

Interlock circuits and their components should be designed to actuate the final devices (e.g.
control valves) in the direction required to cause the process to fail-safe upon loss of power.

A good principle to follow is this: "every system is to fail to its lowest energy state or to a state
away from its critical operating limit". In other words, each process should be analyzed to
determine the major source of energy for operation, e.g. steam to reboiler, exothermic (i.e. heat
releasing) reaction.

Decreasing the amount of energy reduces the risk of equipment exceeding the design limits, or at
least minimizes the potential damage if the limits are exceeded. For the reboiler example, a
fail-safe design would trip the steam supply to the reboiler. In the exothermic reaction example, a
fail-safe design would trip the feed to the reactor and/or the fuel to the reactor heater. The
pressure control loop seen earlier is also another example of fail-safe design.

Protection systems should indicate that a demand to perform a safety function has been made and
that the necessary actions have been performed. 

Manual vs. Automatic Operation of Interlock Systems

Operation of an interlock system may take place either through manual or automatic trip.

In a manual trip, the interlock system is manually actuated from a switch or pushbutton, which
may be located on a local panel in the field or in the control room. A manual trip allows an
operator to trip the system independently of the interlock system in the event of a hazardous
situation developing.

An automatic trip, as the name implies, is automatically activated when a hazardous situation is
detected. A common example is the de-energizing of a solenoid valve that fails a control valve to
its safe position.

Manual vs. Automatic Reset of Interlocks

A tripped component (e.g. a solenoid valve) needs to be reset after a trip has been initiated. The
reset may be done either automatically or manually.

A self-canceling interlock has an automatic reset that returns the interlock system to normal
operation when the usual process conditions have been re-established or when the offending
situation has been effectively dealt with.

A manual reset interlock requires the operator to re-initiate the process before continuing the
operation of the equipment involved. This method is generally preferable over automatic reset
because it requires an investigation of the possible causes for the trip. Positive action by the
operating personnel to return the operating conditions to normal is required before the interlock
can be cancelled.

Manual reset on a solenoid valve is most commonly carried out by the use of a latching lever that
locks the valve when a trip occurs. Unlatching the lever is required to return the solenoid valve to
its normal operation. Alternatively, a solenoid valve can simply be reset by the use of a
pushbutton that energizes the valve.

An example of an automatic trip system with manual reset is shown in the Figure, whereby an
interlock system is used to protect the vessel against low liquid level.

When the liquid level in the vessel reaches the critical low level, this will be detected by the low
low level switch (LSLL), which will trigger the interlock system to take protective measures.
Under the system shown, the solenoid valve will be de-energized. This will cut off the
instrument air (IA) supply. Loss of air will result in the chopper valve failing to its closed
position, thus preventing the potential hazard caused by no liquid level in the vessel which may
have the consequence of vapor escaping through the bottom of the vessel. In addition, to protect
the pump in the event of valve shut-off, the interlock system will trip the pump when activated.

Chopper valve hand switches can be located at different locations for ease of access: (a) at valve,
(b) control room, (c) safe location, minimum 15 m away.

NOTE:

• The solenoid valve has a manual reset, e.g. a latch that requires the operator to physically be
  in the field to unlatch it before continuing with the operation.
• Separate detection system for low liquid level: the level transmitter (LT) and controller (LIC)
  are not used to activate the interlock system. The controller will, however, provide a low
  level alarm before the critical shutdown level is reached, so that appropriate corrective
  actions can be taken. Shutdown is usually only the last resort.
• Proximity switches (ZSC and ZSO) provide feedback on chopper valve position (open or
  closed).
• Depending on the system, the pump RUN/STOP signal may be fed back by the system as
  well.

Interlock Bypass

There are processes or equipment that are often very difficult to start up, either initially or after a
shutdown, if they are tripped on "low" conditions. To avoid this difficulty, some interlocks have
bypasses that will avoid the low trip contact until the equipment or unit is running, and then
clear themselves so that the trip action is in place again, i.e. when an abnormal low condition
arises, the system will trip. This is often used on compressor start-up, when low speed will trip
the unit. Sometimes, a time-delay action is used, where a pre-determined time is permitted to allow
the process to obtain its operating level. Bypasses may also be necessary in order to test components
on-line without tripping protected equipment. However, indiscriminate bypass of an interlock
system will compromise the protection function of the system.

A strict protocol should be followed when bypassing an interlock is attempted. Usually only
authorized personnel are permitted to bypass any interlock. This can be achieved either using a
key or manually operated switch. When a bypass is initiated, an alarm will be triggered.
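The low-level interlock described earlier (automatic trip on LSLL, latched manual reset) combined with a timed start-up bypass that is authorized, alarmed and self-clearing, as an added example that is not part of the original document. The class name, the three-scan bypass limit, the alarm message texts and the rule that a reset is refused while the level is still low are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LowLevelInterlock:
    """Automatic trip on LSLL with a latched manual reset and a timed, alarmed bypass."""
    bypass_limit: int = 3        # assumed: number of scans a bypass may stay active
    tripped: bool = False
    bypass_left: int = 0
    alarms: list = field(default_factory=list)

    def request_bypass(self, authorized):
        """Key-switch request; only authorized personnel may bypass."""
        if not authorized:
            self.alarms.append("BYPASS REFUSED")
            return False
        self.bypass_left = self.bypass_limit
        self.alarms.append("INTERLOCK BYPASSED")   # every bypass raises an alarm
        return True

    def manual_reset(self, lsll_low):
        """Operator reset; refused while the low-low level condition is still present."""
        if self.tripped and not lsll_low:
            self.tripped = False
        return not self.tripped

    def scan(self, lsll_low):
        """One logic scan; False outputs are the de-energized (fail-safe) state."""
        if self.bypass_left > 0:
            self.bypass_left -= 1                  # time-delay bypass clears itself
            if self.bypass_left == 0:
                self.alarms.append("BYPASS CLEARED")
        elif lsll_low and not self.tripped:
            self.tripped = True                    # latched: stays tripped after recovery
            self.alarms.append("LSLL TRIP")
        ok = not self.tripped
        return {"solenoid_energized": ok, "chopper_valve_open": ok, "pump_run": ok}


def demo():
    """Constructed scenario: bypassed start-up, trip, refused reset, accepted reset."""
    il = LowLevelInterlock()
    il.request_bypass(authorized=True)                 # vessel still low at start-up
    startup = [il.scan(low)["pump_run"] for low in (True, True, False)]
    after_trip = il.scan(True)["pump_run"]             # bypass expired, LSLL trips
    after_recovery = il.scan(False)["pump_run"]        # level back, latch still holds
    refused = il.manual_reset(lsll_low=True)
    accepted = il.manual_reset(lsll_low=False)
    return startup, after_trip, after_recovery, refused, accepted, il.alarms


if __name__ == "__main__":
    print(demo())
```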
